From: Jacques Gelinas (jack_at_solucorp.qc.ca)
Date: Mon 09 Dec 2002 - 15:03:10 GMT
1.1. kernel 2.4.19ctx-15
A new kernel patch is available. It tool some time to achieve/debug
(another tcp_tw_bucket issue, like ctx-9). Here are the features:
+ When sending an UDP request, the ipv4root is used as the source IP.
Prior to ctx-15, an IP of the host server was used, so the reply
was never getting back. ypbind in broadcast mode was failing
because of that.
+ Bind(any) with multiple IPs. This was not working previously. You
had to setup one listening socket per IP. Now, the default
operation mode of most IP services, does what you expect: It
receives any request coming to one of the IPs of the vserver.
+ Bind(any) and netstat: When performing a bind(any), it will show
this way in netstat. Cool. there is one little catch. If you
perform a netstat in the root server using the security context 1
(so you can see sockets of all vservers), you will see potentially
several sockets bound to the same port using the 0.0.0.0 address.
This is normal. Unless two vserver are sharing some IPs, they are
allowed to do a bind(0.0.0.0) on the same port and it will show
this way. So this is a little strange in the root server, but
perfectly ok in the vserver.
+ A small optimization with bind(any) and a single IP. The previous
semantic was to map a bind(any) to the first IP of the vserver
(ipv4root). This semantic was kept as an optimization in the kernel
in the case where a vserver has a single IP. This is the common
This optimization may go away, maybe, when we will attack the per
vserver private network loopback. Depending on the solution
selected, the common case may become two IPs per vserver (the
loopback and the main IP).
I have not done any benchmark with the new bind(any) stuff. It might
be a little slower. Potentially not visible. Comments welcome.
1.2. newvserver: Excluded directories
When building a new vserver out of another, you can exclude few
directories. Only the directory structure will be copied. By default,
newvserver exclude /var/log, /var/run and /var/spool/mail.
There is a TAB in the form to enter up to 4 directories to exclude.
1.3. newvserver: sshd cleanup
When cloning a vserver, you may want to reset the sshd private keys so
new ones are generated. A check-box is now provided to handle that. It
is on by default.
This avoids having all your vserver ending with the same sshd private
1.4. Per IP netmask
The IPROOT entry in the vserver configuration file now support one
netmask per entry. The complete syntax is
where stuff in square bracket is optional.
1.5. server run-level
A vserver does not use its own init process unless fakeinit is used.
Normally /sbin/init writes into /var/run/utmp to record the current
run-level and some tools are using that.
Now even if you are not using fakeinit, /var/run/utmp is properly
initialized with the proper runlevel (as found in /etc/inittab).
1.6. vbuild: new --excldir option
When using vbuild to clone a vserver, you can use the --excldir option
repeatedly to exclude some files. The directory structure is
duplicated, but no file is copied. This is used by newvserver.
1.7. vrpm: No unification is /var/log
When using the --unify, the /var/log directory is excluded. Some
packages are owning files there and are not tagged as configuration
file (which is fair). Unifying those files is creating problems.
This problem was specific to /var/log (and everything under) as far as
I can see, so this is hard-coded in the vrpm script.
1.8. vserver profiles
It is sometime useful to operate a vserver with some settings and then
operate it with different settings. A setting is called a profile and
covers the S_HOSTNAME, IPROOT and IPROOTDEV.
There are two ways to select a profile:
+ Edit the configuration file and insert PROFILE=somename
+ PROFILE=somename vserver XX start
Once you have started a vserver with a given profile, it is stored in
the /var/run/vserver/XX.ctx file, so you can enter and stop the
vserver using the active profile, even if you have changed the profile
value in the configuration file.
The newvserver tool has been modified so you can immediately enter the
second profile value. By default, one profile is called prod and the
other is called backup.
vservers may be used as a fail-over strategy where whole servers may
be switched on and off on the fly. Now one may use some
synchronization tool (rsync ?) to make sure the backup is up to date.
Sometime, it is not enough and you wish to maintain the backup in sync
with the production vserver in real-time or almost. To perform that,
you need to enable the backup server, but you can't do that unless you
provide different network setting (avoid having two vserver running
with the same IP). So the profile concept was introduced.
When starting a vserver using a given profile, the environment
variable PROFILE is defined so you can perform various action such as
exchanging key configuration file, starting services differently and
Linuxconf users may want to enable the switchprofile pseudo service
(available lately) to switch between different configuration file set.
1.9. vserver: empty IPROOT
When a vserver must run with the same IP as the root server, the trick
was to set IPROOT=0.0.0.0. Now setting an empty IPROOT is equivalent
(and more intuitive).
2. Bug fixes
2.1. vserver: setting resources when using enter or exec
The vserver was not setting the ulimit resources when performing an
"enter" or "exec" command. Fixed!
Jacques Gelinas <jack_at_solucorp.qc.ca>
vserver: run general purpose virtual servers on one box, full speed!